Responding To Detected Attacks; Packet Logging - McAfee M-1250 - Network Security Platform Configuration Manual

IPS Configuration Guide, version 5.1

McAfee® Network Security Platform 5.1
Overview of IPS settings
In the McAfee® Network Security Policy Editor [formerly IPS Policy Editor], there are
several provided rule sets which match the pre-configured policies. You can view, clone
(copy), and customize these rule sets for your own use.
McAfee recommends two approaches to creating rule sets. The first method is general to
specific. You start with an include rule that covers a broad range of operating systems,
applications, and protocols, then create one or more exclude rules that strip away specific
OSs, protocols, et cetera, focusing the rule set on the environment where it will be enforced.
For example, you start with an include rule for all Exploit category attacks, then follow it
with multiple exclude rules that strip away the protocols, applications, severities, et cetera,
that cannot have an impact in the zone of your network the policy protects.
The second method is collaboration. You create multiple include rules within one rule set,
one for each combination of category, OS, application, et cetera, that you want to detect.
Within an include rule every criterion must be matched for the rule to apply, so each rule is
narrow: for example, your first rule includes the Exploit category, Unix as the OS, Sendmail
as the application, and SMTP as the protocol, and your next include rule covers Exploit,
Windows 2000, WindMail, and SMTP. Each include rule you add broadens the scope of your
detection.
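The following is an added example, not code from the McAfee manual or product: a small model of how the two rule-set styles select signatures. Include rules are OR'd together, the criteria inside one rule are AND'd, and an exclude rule overrides any include (that exclude-wins ordering is an assumption; the manual does not spell it out). The attack catalog, its names, and the field values are constructed for illustration and are not real Network Security Platform signature IDs.

```python
# Added example (not McAfee's code): a model of how include/exclude rules in a
# rule set select attack signatures. Attack records and names are constructed
# for illustration; the exclude-wins semantics is an assumption, not something
# the manual spells out.
from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    """A signature as the policy editor classifies it (constructed sample)."""
    name: str
    category: str
    os: str
    application: str
    protocol: str
    severity: str


@dataclass(frozen=True)
class Rule:
    """One include or exclude rule. Every criterion listed must match (AND);
    a field absent from the criteria dict is a wildcard."""
    action: str      # "include" or "exclude"
    criteria: dict

    def matches(self, attack: Attack) -> bool:
        return all(getattr(attack, field) == value
                   for field, value in self.criteria.items())


def select_attacks(rules, catalog):
    """Names of the catalog attacks the rule set enforces: an attack is selected
    if at least one include rule matches it (include rules are OR'd) and no
    exclude rule matches it (assumption: an exclude always wins)."""
    selected = set()
    for attack in catalog:
        included = any(r.matches(attack) for r in rules if r.action == "include")
        excluded = any(r.matches(attack) for r in rules if r.action == "exclude")
        if included and not excluded:
            selected.add(attack.name)
    return selected


# Constructed catalog; the names are illustrative, not real signature IDs.
CATALOG = [
    Attack("unix-sendmail-smtp", "Exploit", "Unix", "Sendmail", "SMTP", "High"),
    Attack("w2k-windmail-smtp", "Exploit", "Windows 2000", "WindMail", "SMTP", "High"),
    Attack("w2k-iis-http", "Exploit", "Windows 2000", "IIS", "HTTP", "High"),
    Attack("unix-samba-smb", "Exploit", "Unix", "Samba", "SMB", "High"),
    Attack("unix-fingerd-finger", "Exploit", "Unix", "fingerd", "Finger", "Low"),
    Attack("unix-wuftpd-ftp", "Reconnaissance", "Unix", "wu-ftpd", "FTP", "Low"),
]

# Method 1, general to specific: one broad include, then excludes that strip
# away what cannot matter in this zone (no web servers here; ignore Low severity).
GENERAL_TO_SPECIFIC = [
    Rule("include", {"category": "Exploit"}),
    Rule("exclude", {"protocol": "HTTP"}),
    Rule("exclude", {"severity": "Low"}),
]

# Method 2, collaboration: several narrow include rules, one per
# category/OS/application/protocol combination to detect.
COLLABORATION = [
    Rule("include", {"category": "Exploit", "os": "Unix",
                     "application": "Sendmail", "protocol": "SMTP"}),
    Rule("include", {"category": "Exploit", "os": "Windows 2000",
                     "application": "WindMail", "protocol": "SMTP"}),
]

if __name__ == "__main__":
    for label, rules in (("general-to-specific", GENERAL_TO_SPECIFIC),
                         ("collaboration", COLLABORATION)):
        print(label, sorted(select_attacks(rules, CATALOG)))
```

Run against the same catalog, the two styles differ in one telling way: the general-to-specific set also picks up the Samba/SMB exploit, because nothing excluded it, whereas the collaboration set only ever detects the combinations that were enumerated. That is the trade-off to keep in mind when choosing between them: broad includes catch new signatures by default, narrow includes never surprise you but need maintenance as the environment changes.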

Responding to detected attacks

When a McAfee Network Security Sensor (Sensor) detects activity that violates a configured
policy, a preset response from the Sensor is integral to the protection or prevention process,
so proper configuration of responses is crucial to maintaining effective protection. Critical
attacks such as buffer overflows and denial of service (DoS) require real-time responses,
while scans and probes can be logged and researched to determine the potential for
compromise and the source of the attack. Developing a system of actions, alerts, and logs
based on impact severity is recommended for effective network security.
Since Sensors can be installed anywhere in a network, knowing what area a Sensor protects
is important for determining the response type. For a Sensor installed outside the firewall,
alerting with an active response is best reserved for DoS and other attacks against the
firewall itself. Most other suspicious traffic aimed at the internal network that is not
matched by a specific known signature, including scans and CGI data, is best logged without
a response and analyzed afterwards: its impact is not immediate, and the log gives a better
understanding of the attack's purpose.
Note:
Setting a response type during policy configuration is critical for an effective
intrusion management system. A list of response options can be seen and
configured at Customizing responses for an exploit attack (on page 19).

Packet logging

Logging attack packets for analysis is an effective means of preparing for future attacks. A
packet log is created by a Network Security Sensor capturing the network traffic around an
offending transmission. An expert in protocol analysis can use the log to determine what
caused the alert and what can be done to prevent future alerts of the same nature. Packet
logs are retrieved from the database via the Threat Analyzer and can be opened and examined
with Ethereal (now known as Wireshark). By default, UDP and TCP protocol attacks generate a
packet log containing the attack plus the previous 128 bytes in the flow.
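As an added example, not the Sensor's own code, the following Python shows what a packet log of this shape amounts to: given a flow, it selects the offending packet plus the packets before it that carry at least 128 bytes of flow context (whole packets, so slightly more than 128 bytes may be kept; a flow shorter than that simply starts at its first packet), and serializes them in classic pcap format so the file opens in Ethereal/Wireshark. The UDP flow, addresses, ports and payloads are constructed; the Sensor's internal buffering and its database format are not modelled.

```python
# Added example (not McAfee's code): selecting and saving the packets that make
# up a packet log, i.e. the attack packet plus the preceding 128 bytes of the
# flow, in pcap format so the file opens in Ethereal/Wireshark. The frames
# below are constructed; addresses, ports and payloads are illustrative.
import socket
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
CONTEXT_BYTES = 128           # manual's default: attack plus previous 128 bytes


@dataclass(frozen=True)
class FlowPacket:
    ts: float          # capture time, seconds since the epoch
    frame: bytes       # full Ethernet frame as seen on the wire
    payload_len: int   # application-layer bytes this frame contributes to the flow


def select_log_window(flow, attack_index, context_bytes=CONTEXT_BYTES):
    """Indices of the packets to log: the attack packet plus the packets before
    it that together carry at least context_bytes of payload. Whole packets are
    kept, so the window may hold a little more than context_bytes; if the flow
    is shorter than that, the window starts at the first packet."""
    start, collected = attack_index, 0
    while start > 0 and collected < context_bytes:
        start -= 1
        collected += flow[start].payload_len
    return list(range(start, attack_index + 1))


def write_pcap(packets):
    """Serialize packets as a pcap capture: 24-byte global header, then one
    16-byte record header plus the raw frame for each packet."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p.frame), len(p.frame))
        out += p.frame
    return bytes(out)


def packet_log(flow, attack_index, context_bytes=CONTEXT_BYTES):
    """pcap bytes for the attack at attack_index together with its context."""
    window = select_log_window(flow, attack_index, context_bytes)
    return write_pcap([flow[i] for i in window])


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/UDP frame carrying payload (constructed)."""
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp


def sample_flow():
    """Constructed UDP flow: five 40-byte messages, then an oversized 600-byte
    message (the 'attack') as the sixth packet."""
    flow = []
    for i in range(5):
        payload = bytes([0x41 + i]) * 40
        flow.append(FlowPacket(1_700_000_000 + i * 0.01,
                               udp_frame("10.0.0.5", "10.0.0.9", 40000 + i, 514, payload),
                               len(payload)))
    attack = b"!" * 600
    flow.append(FlowPacket(1_700_000_000 + 0.05,
                           udp_frame("10.0.0.5", "10.0.0.9", 40005, 514, attack),
                           len(attack)))
    return flow


if __name__ == "__main__":
    flow = sample_flow()
    print("packets logged:", select_log_window(flow, attack_index=5))
    with open("attack.pcap", "wb") as f:
        f.write(packet_log(flow, attack_index=5))
```

With the sample flow the window is packets 1 through 5: four 40-byte predecessors (160 bytes, the first point at which the running total reaches 128) plus the attack packet itself. Opening attack.pcap in Wireshark shows exactly that context, which is what an analyst needs to see how the offending message was set up.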